PatchSiren cyber security CVE debrief
CVE-2026-44848 portainer CVE debrief
Portainer Community Edition versions 2.33.0 through 2.33.7, 2.39.x prior to 2.39.2, and 2.41.0 contain a critical authorization bypass in Docker plugin management. The `/plugins/*` endpoints were not registered with an access-control handler, allowing standard users with endpoint access to invoke privileged plugin operations—including installation and enabling—directly against the underlying Docker daemon. This vulnerability exposes container infrastructure to complete compromise when non-administrative Portainer users (Standard User role or any endpoint-access-granted role) are provisioned. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and high impacts across confidentiality, integrity, and availability for both the vulnerable component and subsequent systems.
- Vendor: portainer
- Product: Unknown
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations operating Portainer Community Edition for multi-tenant container management; security teams responsible for container platform hardening; DevOps engineers managing Docker endpoint access controls; compliance auditors evaluating RBAC implementation in container orchestration platforms.
Technical summary
The vulnerability stems from the Docker plugin API endpoints being registered without the access-control handler middleware that Portainer's HTTP routing layer applies to other administrative routes. A standard user's authentication token presented to a `/plugins/*` path is therefore accepted without passing through the RBAC enforcement layer that normally gates administrative operations. This gap lets plugin lifecycle commands be proxied straight to the Docker daemon socket with no privilege-elevation check. Because Docker plugins execute with host-level capabilities, the result can be container escape, host filesystem access, and lateral movement within the containerized infrastructure. The attack requires valid standard user credentials and network reachability to the Portainer API; no user interaction is required.
Defensive priority
critical
Recommended defensive actions
- Upgrade Portainer Community Edition immediately to version 2.33.8, 2.39.2, or 2.41.0 (or later).
- Audit endpoint access assignments to identify standard users with Docker endpoint permissions and verify no unauthorized plugin installations occurred.
- Review Docker daemon audit logs for plugin-related operations executed by non-administrative Portainer users between initial deployment of affected versions and patching.
- Implement network segmentation to restrict Portainer instance access to administrative interfaces only.
- Validate that all plugin management endpoints enforce proper RBAC controls after upgrade.
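The routing gap described in the technical summary, and the post-upgrade RBAC check in the last action above, reduced to a minimal Go HTTP router. This is an added illustration, not Portainer's code: the `X-Role` header, the `adminOnly` wrapper and the `/plugins/pull` subpath are constructed stand-ins for Portainer's token-derived role check and its real plugin routes.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// adminOnly is the access-control handler an admin-only route must be registered
// with. The constructed X-Role header stands in for the role derived from a token.
func adminOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Role") != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// pluginProxy stands in for the handler that forwards plugin lifecycle calls
// to the Docker daemon; here it only reports success.
var pluginProxy = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// newRouter mounts /plugins/ bare when guardPlugins is false (the CWE-862
// pattern the advisory describes) and wrapped in adminOnly when true.
func newRouter(guardPlugins bool) *http.ServeMux {
	mux := http.NewServeMux()
	var plugins http.Handler = pluginProxy
	if guardPlugins {
		plugins = adminOnly(pluginProxy)
	}
	mux.Handle("/plugins/", plugins)
	return mux
}

// statusFor sends a request as the given role and returns the HTTP status;
// a post-upgrade RBAC check would assert 403 for every non-admin caller.
func statusFor(mux http.Handler, role, path string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	println(statusFor(newRouter(false), "standard", "/plugins/pull")) // 200: unguarded
	println(statusFor(newRouter(true), "standard", "/plugins/pull"))  // 403: guarded
}
```

The same pattern generalizes to any route table: enumerate every admin-only subtree and assert that a non-admin caller receives 403 on each, so a newly added bare route fails the check instead of shipping.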
Evidence notes
Vulnerability confirmed via GitHub Security Advisory GHSA-rrmm-9v76-h3p4. Affected versions are explicitly enumerated as 2.33.0–2.33.7, pre-2.39.2, and 2.41.0. Patched versions: 2.33.8, 2.39.2, 2.41.0. CWE-862 (Missing Authorization) is classified as the primary weakness.
Official resources
- CVE-2026-44848 CVE record (CVE.org)
- CVE-2026-44848 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28